Details
Alert ID 40040-3
Alert Type Active
Status beta
Risk High
CWE 942
WASC 14
Technologies Targeted All
Tags CWE-942
OWASP_2017_A05
OWASP_2021_A01
POLICY_QA_FULL
POLICY_QA_STD
WSTG-V42-CLNT-07
More Info Scan Rule Help

Summary

This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim’s user agent. In order to perform authenticated AJAX queries, the server must specify the header “Access-Control-Allow-Credentials: true” and the “Access-Control-Allow-Origin” header must be set to null or the malicious page’s domain. Even if this misconfiguration doesn’t allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites). A malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc).

Solution

If a web resource contains sensitive information, the origin should be properly specified in the Access-Control-Allow-Origin header. Only trusted websites needing this resource should be specified in this header, with the most secured protocol supported.

Other Info

References

Code

org/zaproxy/zap/extension/ascanrulesBeta/CorsScanRule.java